oss-sec mailing list archives

Re: CVE? CCE? dovecot setting is often used incorrectly


From: Robert Buchholz <rbu () gentoo org>
Date: Sat, 8 Mar 2008 18:18:48 +0100

On Saturday 08 March 2008, Florian Weimer wrote:
> * Jonathan Smith:
> > I've been trying to figure out what to do with this one. I'm not
> > inclined to believe it deserves a CVE given that it is
> > configuration (either dovecot config or filesystem permissions
> > configuration). I read once on mitre.org about "Common
> > Configuration Enumeration" aka "CCE" issues, but I've never seen
> > them actually used. Maybe this is a good candidate?
>
> Debian will release a security update with a patch, so we need a CVE
> anyway.  We might use one from our pool (after all, it's an interplay
> between our default MTA and Dovecot, and may not be very widespread),
> or we might reference a generic one.  I don't know which one is
> better.

For the generic issue you can use CVE-2008-1199.

Robert
